sonarr-repo-only/src/NzbDrone.Core/Security/X509CertificateValidationSe...

using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using NLog;
using NzbDrone.Common.Extensions;
using NzbDrone.Common.Http.Dispatchers;
using NzbDrone.Core.Configuration;

namespace NzbDrone.Core.Security
{
    public class X509CertificateValidationService : ICertificateValidationService
    {
        private readonly IConfigService _configService;
        private readonly Logger _logger;

        public X509CertificateValidationService(IConfigService configService, Logger logger)
        {
            _configService = configService;
            _logger = logger;
        }

        public bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            var targetHostName = string.Empty;

            if (sender is not SslStream && sender is not string)
            {
                return true;
            }

            if (sender is SslStream request)
            {
                targetHostName = request.TargetHostName;
            }

            // Mailkit passes host in sender as string
            if (sender is string stringHost)
            {
                targetHostName = stringHost;
            }

            if (certificate is X509Certificate2 cert2 && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
            {
                _logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", targetHostName);
            }

            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
            }

            if (targetHostName == "localhost" || targetHostName == "127.0.0.1")
            {
                return true;
            }

            var ipAddresses = GetIPAddresses(targetHostName);
            var certificateValidation = _configService.CertificateValidation;

            if (certificateValidation == CertificateValidationType.Disabled)
            {
                return true;
            }

            if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
                ipAddresses.All(i => i.IsLocalAddress()))
            {
                return true;
            }

            _logger.Error("Certificate validation for {0} failed. {1}", targetHostName, sslPolicyErrors);

            return false;
        }

        private IPAddress[] GetIPAddresses(string host)
        {
            if (IPAddress.TryParse(host, out var ipAddress))
            {
                return new[] { ipAddress };
            }

            return Dns.GetHostEntry(host).AddressList;
        }
    }
}
Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`using System.Linq;`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`using System.Net;`
			`using System.Net.Security;`
			`using System.Security.Cryptography.X509Certificates;`
			`using NLog;`
			`using NzbDrone.Common.Extensions;`
Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`using NzbDrone.Common.Http.Dispatchers;`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`using NzbDrone.Core.Configuration;`

			`namespace NzbDrone.Core.Security`
			`{`
Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`public class X509CertificateValidationService : ICertificateValidationService`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`{`
			`private readonly IConfigService _configService;`
			`private readonly Logger _logger;`

Improve certificate validation registration Fixed: Certificate validation during startup Fixed: Errors removing Windows service Closes #3037 Closes #3038 2019-04-11 02:34:21 +00:00			`public X509CertificateValidationService(IConfigService configService, Logger logger)`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`{`
			`_configService = configService;`
			`_logger = logger;`
			`}`

Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`public bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`{`
Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`var targetHostName = string.Empty;`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00
Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`if (sender is not SslStream && sender is not string)`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`{`
			`return true;`
			`}`

Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`if (sender is SslStream request)`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`{`
Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`targetHostName = request.TargetHostName;`
			`}`

			`// Mailkit passes host in sender as string`
			`if (sender is string stringHost)`
			`{`
			`targetHostName = stringHost;`
			`}`

			`if (certificate is X509Certificate2 cert2 && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")`
			`{`
			`_logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", targetHostName);`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`}`

			`if (sslPolicyErrors == SslPolicyErrors.None)`
			`{`
			`return true;`
			`}`

Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`if (targetHostName == "localhost" \|\| targetHostName == "127.0.0.1")`
Fixed: Unnecessary certificate validation errors on localhost/loopback closes #4215 2021-01-14 21:04:54 +00:00			`{`
			`return true;`
			`}`

Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`var ipAddresses = GetIPAddresses(targetHostName);`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`var certificateValidation = _configService.CertificateValidation;`

			`if (certificateValidation == CertificateValidationType.Disabled)`
			`{`
			`return true;`
			`}`

Fixed: Certificate validation for local IP addresses instead of hostnames 2019-04-10 03:57:12 +00:00			`if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`ipAddresses.All(i => i.IsLocalAddress()))`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`{`
			`return true;`
			`}`

Use modern HttpClient Co-Authored-By: ta264 <ta264@users.noreply.github.com> 2021-11-13 21:10:42 +00:00			`_logger.Error("Certificate validation for {0} failed. {1}", targetHostName, sslPolicyErrors);`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00
			`return false;`
			`}`
Improve certificate validation registration Fixed: Certificate validation during startup Fixed: Errors removing Windows service Closes #3037 Closes #3038 2019-04-11 02:34:21 +00:00
			`private IPAddress[] GetIPAddresses(string host)`
			`{`
			`if (IPAddress.TryParse(host, out var ipAddress))`
			`{`
StyleCop 2021-08-03 04:43:28 +00:00			`return new[] { ipAddress };`
Improve certificate validation registration Fixed: Certificate validation during startup Fixed: Errors removing Windows service Closes #3037 Closes #3038 2019-04-11 02:34:21 +00:00			`}`

			`return Dns.GetHostEntry(host).AddressList;`
			`}`
HTTPS certificate validation options New: Enable HTTPS certificate validation by default New: Option to disable certificate validation for all or only local addresses 2019-03-29 02:20:40 +00:00			`}`
			`}`